...

Info

The following two OAuth2 configuration examples (LinkedIn & Facebook) show how to configure OAuth2. Because both are external services, their procedures may change over time; they are meant to show the basic concept of configuring OAuth2.
Note: to bind the login to a specific user, the response of the resource (userinfo) endpoint must be JSON.

OAuth 2.0 (Azure AD)

Step 1: Register a new Application in your Azure AD

Link to Microsoft documentation: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app

  1. Sign in to the Azure portal.

  2. If you have access to multiple tenants, use the Directories + subscriptions filter in the top menu to switch to the tenant in which you want to register the application.

  3. Search for and select Azure Active Directory.

  4. Under Manage, select App registrations > New registration.

  5. Enter a display Name for your application (e.g. "my-eSAW-Authenticator").
    Users of your application might see the display name when they use the app, for example during sign-in.
    You can change the display name at any time and multiple app registrations can share the same name.

  6. Specify who can use the application (e.g.: "Accounts in this organizational directory only")
  7. Leave Redirect URI (optional) empty; you will configure it in Step 2.

  8. Select Register to complete the initial app registration.

When registration finishes, the Azure portal displays the app registration's Overview pane.

Copy the following two values from that page for later use:

  • Application (client) ID
  • Directory (tenant) ID
Step 2: Configure platform settings
  1. In the Azure portal, in App registrations, select your application.

  2. Under Manage, select Authentication.

  3. Under Platform configurations, select Add a platform.

  4. Under Configure platforms, select the tile "Web" to configure a web app.

  5. Enter the following Redirect URI: https://<eSignAnyWhere URL>/Account/ValidateOAuth (e.g.: https://demo.esignanywhere.net/Account/ValidateOAuth)
  6. Select Configure to complete the platform configuration.

  7. Under Implicit grant and hybrid flows (still on the Authentication page), make sure "ID tokens (used for implicit and hybrid flows)" is enabled.
  8. Leave Allow public client flows disabled; it is not needed.
  9. Click Save to complete the configuration.
Step 3: Add a client secret
  1. In the Azure portal, in App registrations, select your application.
  2. Select Certificates & secrets > Client secrets > New client secret.
  3. Add a description for your client secret.
  4. Select an expiration for the secret or specify a custom lifetime.
    • Client secret lifetime is limited to two years (24 months) or less. You can't specify a custom lifetime longer than 24 months.
    • Microsoft recommends that you set an expiration value of less than 12 months.
  5. Select Add.
  6. Record the secret's value for use in eSignAnyWhere later on. This secret value is never displayed again after you leave this page.
(Optional) Step 4: OpenID Connect discovery document

Link to Microsoft documentation: https://docs.microsoft.com/en-us/azure/active-directory/develop/userinfo

This step is optional, since Microsoft rarely changes its OAuth configuration, but it is good to know where to find your tenant's OpenID Connect discovery document.
Take the Directory (tenant) ID from Step 1 and call the following URL (no authentication needed):

https://login.microsoftonline.com/<Directory (tenant) ID>/v2.0/.well-known/openid-configuration

For the eSignAnywhere configuration you need the following properties:

  • token_endpoint
  • authorization_endpoint
  • userinfo_endpoint
Step 5: Configure eSignAnyWhere
  1. Login to eSignAnyWhere with a user that has administrative permissions on your Organization.
  2. Open the Settings > Identity Providers page and add new OAuth Settings for User Authentication.
  • Provider Name: if "Share on login page" is enabled, this name is displayed on the login page, so make sure it identifies your organization (e.g. "Azure AD for <Organization name>").
  • Direct access url: if "Share on login page" is disabled, this link is needed to log in to eSignAnyWhere with OAuth 2.0. Make sure you bookmark it.
  • Redirect Url: pre-filled; it has to be registered (whitelisted) in Azure AD. This is the Redirect URI entered in Step 2, so check that both match exactly.
  • Client Id: your "Application (client) ID" from Step 1
  • Client Secret: your secret's value from Step 3
  • Scope: openid email
  • Authorization URI: your authorization_endpoint from Step 4, or simply https://login.microsoftonline.com/<Directory (tenant) ID>/oauth2/v2.0/authorize
  • Token URI: your token_endpoint from Step 4, or simply https://login.microsoftonline.com/<Directory (tenant) ID>/oauth2/v2.0/token
  • Logout URI: can be blank
  • Share on login page: depending on the server settings this property might not be visible to you. If enabled, your provider name shows up on the login page.
  • Ressource Parameter: oauth2_access_token
  • Ressource URI: your userinfo_endpoint from Step 4, or simply https://graph.microsoft.com/oidc/userinfo (oauth_token)
  3. Click on "Add field", enter "email" and map it to "User Email Address".
  4. Click on Update to save the configuration.
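The following script is an added example and not part of the eSignAnyWhere documentation or product. It ties Step 2, Step 4 and Step 5 together: it builds the discovery URL for a tenant, maps a discovery document onto the Step 5 fields, checks that every endpoint is scoped to your own tenant (a document fetched for "common" would admit accounts from any directory), and derives the exact Redirect URI for Step 2 so that the value registered in Azure AD and the one shown in eSignAnyWhere cannot drift apart. The tenant ID and the sample discovery document are constructed; the hostname demo.esignanywhere.net is the example host used in Step 2.

```python
"""Added example, not part of the eSignAnyWhere documentation: derive the
Step 5 field values for an Azure AD tenant from the tenant's OpenID Connect
discovery document (Step 4) and check them before pasting them into the
Identity Providers page. Tenant ID and sample document below are constructed."""
import json
import urllib.request
from urllib.parse import urlsplit

AUTHORITY = "https://login.microsoftonline.com"
GRAPH_USERINFO = "https://graph.microsoft.com/oidc/userinfo"


def discovery_url(tenant_id: str) -> str:
    """Step 4: discovery document URL for a Directory (tenant) ID."""
    return f"{AUTHORITY}/{tenant_id}/v2.0/.well-known/openid-configuration"


def fetch_discovery(tenant_id: str) -> dict:
    """Download the document; no authentication is needed (network access)."""
    with urllib.request.urlopen(discovery_url(tenant_id), timeout=10) as resp:
        return json.load(resp)


def redirect_uri(esaw_base: str) -> str:
    """Step 2: the exact Redirect URI to register in Azure AD.

    Azure AD matches redirect URIs exactly, so derive it from the host only:
    'demo.esignanywhere.net', 'https://demo.esignanywhere.net/' and a pasted
    http:// URL all yield the same https URI without a trailing slash."""
    if "://" not in esaw_base:
        esaw_base = f"https://{esaw_base}"
    host = urlsplit(esaw_base).netloc
    return f"https://{host}/Account/ValidateOAuth"


def validate(tenant_id: str, doc: dict) -> list:
    """Return a list of problems with a discovery document (empty if fine).

    The tenant ID must appear in the path of the issuer and of the login
    endpoints: a document for 'common' or 'organizations' would let users of
    any directory sign in, which is not what Step 1 ('Accounts in this
    organizational directory only') intended."""
    problems = []
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "userinfo_endpoint"):
        if key not in doc:
            problems.append(f"missing {key}")
    if problems:
        return problems
    for key in ("issuer", "authorization_endpoint", "token_endpoint"):
        parts = urlsplit(doc[key])
        if parts.scheme != "https":
            problems.append(f"{key} is not https: {doc[key]}")
        if tenant_id not in parts.path.split("/"):
            problems.append(f"{key} is not scoped to tenant {tenant_id}: {doc[key]}")
    if urlsplit(doc["userinfo_endpoint"]).scheme != "https":
        problems.append(f"userinfo_endpoint is not https: {doc['userinfo_endpoint']}")
    return problems


def esaw_settings(tenant_id: str, doc: dict) -> dict:
    """Map a validated discovery document onto the Step 5 fields."""
    problems = validate(tenant_id, doc)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "Scope": "openid email",
        "Authorization URI": doc["authorization_endpoint"],
        "Token URI": doc["token_endpoint"],
        "Logout URI": "",
        "Ressource URI": doc["userinfo_endpoint"],
    }


def matches_fallback(tenant_id: str, settings: dict) -> bool:
    """True if discovery agrees with the fixed 'or simply' URLs given in Step 5."""
    return (
        settings["Authorization URI"] == f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize"
        and settings["Token URI"] == f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
        and settings["Ressource URI"] == GRAPH_USERINFO
    )


# Constructed sample in the shape of Azure AD's v2.0 discovery document.
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_DOC = {
    "issuer": f"{AUTHORITY}/{SAMPLE_TENANT}/v2.0",
    "authorization_endpoint": f"{AUTHORITY}/{SAMPLE_TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"{AUTHORITY}/{SAMPLE_TENANT}/oauth2/v2.0/token",
    "userinfo_endpoint": GRAPH_USERINFO,
    "jwks_uri": f"{AUTHORITY}/{SAMPLE_TENANT}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token", "id_token token"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
}
# The same document as it would look when fetched for the multi-tenant 'common' authority.
COMMON_DOC = {k: (v.replace(SAMPLE_TENANT, "common") if isinstance(v, str) else v)
              for k, v in SAMPLE_DOC.items()}

if __name__ == "__main__":
    print("Redirect URI:", redirect_uri("demo.esignanywhere.net"))
    settings = esaw_settings(SAMPLE_TENANT, SAMPLE_DOC)
    for field, value in settings.items():
        print(f"{field}: {value}")
    print("matches fallback URLs:", matches_fallback(SAMPLE_TENANT, settings))
    print("problems with 'common' document:", validate(SAMPLE_TENANT, COMMON_DOC))
```

To use it against a real tenant, replace SAMPLE_DOC with fetch_discovery(your_tenant_id); the validation deliberately checks the tenant ID in the path rather than the hostname, because only the tenant scoping decides which accounts the authorization endpoint will accept.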
Step 6: Add OAuth provider to existing users 
  1. Login to eSignAnyWhere with a user that has administrative permissions on your Organization.
  2. Open the Settings > Users page and edit the user you want to add the OAuth provider to
  3. Under OAuth assignments click on the + icon and choose your previously created OAuth provider
  4. The user will now get a validation email to finish the setup.
Step 7: Login to eSignAnyWhere using OAuth 2.0

The OAuth provider might not be visible on the login page, depending on the setting "Share on login page" in Step 5.
Use the "Direct access url" instead.

OAuth 2.0 (eID)

ID Austria

Info

Please also see the following documentation about ID Austria (German documentation only): https://eid.egiz.gv.at/anbindung/direkte-anbindung/anbindung-oidc/

...